[jboss-jira] [JBoss JIRA] (WFLY-1838) Authorisation decision filtered vs. read-only
Kabir Khan (JIRA)
jira-events at lists.jboss.org
Wed Aug 7 04:38:29 EDT 2013
[ https://issues.jboss.org/browse/WFLY-1838?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12795521#comment-12795521 ]
Kabir Khan commented on WFLY-1838:
----------------------------------
Regarding 1)
I now see if I do the read-resource-description operation as the MONITOR role (last night I wrongly used super user), it does not return security-domain in access-control. I guess that was the original question.
The configured constraints for security-domain are
{code}
"security-domain" => {
    "type" => STRING,
    "description" => "Specifies the security domain which defines the javax.security.auth.Subject that are used to distinguish connections in the pool",
    "expressions-allowed" => true,
    "nillable" => true,
    "alternatives" => ["user-name"],
    "min-length" => 1L,
    "max-length" => 2147483647L,
    "access-constraints" => {"sensitive" => {
        "security-domain-ref" => {"type" => "core"},
        "data-source-security" => {"type" => "datasources"}
    }},
    "access-type" => "read-write",
    "storage" => "configuration",
    "restart-required" => "no-services"
},
{code}
Which has access defined as being sensitive, so it does not appear in the access-control list at all.
{code}
[standalone@localhost:9990 /] /core-service=management/access=authorization/constraint=sensitivity-classification/sensitivity-classification=security-domain-ref:read-resource(recursive=true)
{
    "outcome" => "success",
    "result" => {"type" => {"core" => {
        "configured-requires-access" => undefined,
        "configured-requires-read" => undefined,
        "configured-requires-write" => undefined,
        "default-requires-access" => true,
        "default-requires-read" => true,
        "default-requires-write" => true
    }}}
}
{code}
I think from what you say, access should be renamed addressable, and that this should now only take effect for resources themselves. So, security-domain should appear in the list for access-control. I'm unclear if this is something which has already been done (been on PTO) in other places, and if read-resource-description is the main place not handling this, or if this is a new idea in this discussion. In any case, I now agree we should change read-resource-description.
> Authorisation decision filtered vs. read-only
> ---------------------------------------------
>
> Key: WFLY-1838
> URL: https://issues.jboss.org/browse/WFLY-1838
> Project: WildFly
> Issue Type: Clarification
> Components: Domain Management
> Reporter: Heiko Braun
> Assignee: Kabir Khan
>
> When I look at datasources for example, I can see a difference between :read-resource-description(access-control=true) and the output of :read-resource(){roles=monitor}.
> The first doesn't contain constraints for "security-domain", but the latter indicates them as being filtered (access-control response header).
> First question: Is this a bug?
> Second and more general question: Will all filtered attributes be presented as "read=false" & "write=false"?